Detail on kiosk fault too risky to release: MSD

The security fault labelled "critical" in Security-Assessment.com's May 2011 report on the Ministry of Social Development's kiosk systems was promptly fixed, but MSD still declines to provide detailed information on the reasons for suppressing details of the fault under the Official Information Act.

Ministry of Social Development declines to give more information on reasons for suppressing details of breach

Email this to a friend

Characters remaining:

What is A + B?

The security fault labelled "critical" in Security-Assessment.com's May 2011 report on the Ministry of Social Development's kiosk systems was promptly fixed, but MSD still declines to provide detailed information on the reasons for suppressing details of the fault under the Official Information Act.

The public kiosks were exposed by blogger Keith Ng in October as having major security flaws which enabled private information to be exposed. Three inquiries were immediately launched, including one by Deloitte into what happened.

Even to discuss why information on the critical vulnerability was withheld would risk "disclosing information about how to hack into the system" and potentially other similar systems, says a spokeswoman passing on comment from the ministry's "OIA team".

Warning of the critical fault occurs on Page 7 of Dimension Data subsidiary Security-Assessment's "kiosk review". The copy of that report released alongside the analysis of the failing by consultancy Deloitte names only one reason for withholding details -- Section 6(c) of the OIA, which says release might "prejudice the maintenance of the law, including the prevention, investigation, and detection of offences, and the right to a fair trial".

A later copy of the report, linked from a Computerworld article on November 21, adds a reference to Section 9(2)(k) under which information can be withheld to "prevent the disclosure or use of official information for improper gain or improper advantage."

This is not an additional ground thought up this month, the MSD spokeswoman says; it was simply omitted in the first publication of the report; "there were always two grounds."

Other vulnerabilities, given the lower grading of "urgent", remained unfixed after the Security-Assessment report and were used by Keith Ng to gain access to restricted files on MSD's network, in order to demonstrate the failures.

The Deloitte report deals only with the specific question of the self-service kiosks. A report on possible security holes in MSD's systems on a broader front is awaited.

Government CIO Colin MacDonald has also commissioned a review of security over all government systems.